MIT boffins identify Tor hidden services with 88 per cent accuracy

For nothing is secret that shall not be made manifest

Boffins from the Massachusetts Institute of Technology (MIT) have demonstrated a vulnerability in Tor which, if exploited, could lead to hidden services being identified with up to 88 per cent accuracy.

Infosec bods from MIT and the Qatar Computing Research Institute (QCRI) pwned the anonymity network for a paper to be presented at this summer's Usenix Security Symposium.

The researchers demonstrated how an adversary can infer a hidden server's location, or the source of the information reaching a given Tor user. This becomes possible by analysing the traffic patterns of encrypted data passing through a single computer in the all-volunteer Tor network.

Tor, originally an acronym for "The Onion Router", wraps communications in several layers of encryption, which is supposed to allow information to be passed through a number of parties without the recipient of the traffic being uncovered.

Hidden services are sites which use the Tor network to protect themselves in a similar fashion to the way the network anonymises users – by selecting nodes to use as "introduction points", which the network will identify while keeping the rest of its gubbins anonymous.

For the Tor network to work, it is necessary that computers exchange a large amount of data during the establishment of a connection to a hidden service.

The boffins showed that "simply by looking for patterns in the number of packets passing in each direction through a guard, machine-learning algorithms could, with 99 per cent accuracy, determine whether the circuit was an ordinary Web-browsing circuit, an introduction-point circuit or a rendezvous-point circuit."

They were able to do this through simple traffic correlation, which remains possible even when the traffic is encrypted.

Furthermore, by using a Tor-enabled computer to connect to a range of different hidden services, they showed that a similar analysis of traffic patterns could identify those services with 88 per cent accuracy. That means that an adversary who lucked into the position of guard for a computer hosting a hidden service could, with 88 per cent certainty, identify it as the service’s host.

"We recommend that [the Tor project] mask the sequences so that all the sequences look the same," said Mashael AlSabah, an assistant professor of computer science at Qatar University, as well as a researcher at QCRI and a visiting scientist at MIT. To defend against that kind of attack, he added, Tor needed to "send dummy packets to make all five types of circuits look similar."
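A toy illustration of why that masking works, added here and not taken from the paper or the Tor Project: per-direction cell counts separate three circuit types until every circuit is padded to one fixed pattern. The traces are constructed, not measured Tor traffic, and the nearest-centroid classifier, `pad` and `TEMPLATE` are hypothetical stand-ins for the researchers' machine-learning setup.

```python
# Constructed traces, NOT real Tor data: direction of the first cells a guard
# sees on a circuit ('+' = from the client side, '-' = towards it).
TRACES = {
    "general":      ["+-+--+----", "+-+-+-----", "+-+--+-+--"],
    "introduction": ["+-+-+-+", "+-+-+-+-", "+-+-+-+"],
    "rendezvous":   ["+-+-++----------", "+-+-++---------", "+-+-++-+--------"],
}
TEMPLATE = "+-" * 10  # hypothetical fixed pattern every circuit is padded to


def features(trace):
    """Number of cells in each direction, the signal the article describes."""
    return (trace.count("+"), trace.count("-"))


def centroids(labelled):
    """Mean feature vector per circuit type."""
    out = {}
    for label, traces in labelled.items():
        feats = [features(t) for t in traces]
        out[label] = tuple(sum(f[i] for f in feats) / len(feats) for i in range(2))
    return out


def accuracy(labelled):
    """Share of traces a nearest-centroid classifier labels correctly."""
    cents = centroids(labelled)
    def guess(trace):
        f = features(trace)
        return min(cents, key=lambda c: sum((a - b) ** 2 for a, b in zip(f, cents[c])))
    pairs = [(label, t) for label, ts in labelled.items() for t in ts]
    return sum(guess(t) == label for label, t in pairs) / len(pairs)


def pad(trace, template):
    """Put exactly `template` on the wire, sending a dummy cell whenever the next
    real cell has the wrong direction. Returns (observed, dummies, delayed)."""
    pending, dummies = list(trace), 0
    for direction in template:
        if pending and pending[0] == direction:
            pending.pop(0)      # a real cell fits this slot
        else:
            dummies += 1        # fill the slot with cover traffic
    return template, dummies, len(pending)


PADDED = {label: [pad(t, TEMPLATE)[0] for t in ts] for label, ts in TRACES.items()}

if __name__ == "__main__":
    print("accuracy without padding:", accuracy(TRACES))
    print("accuracy with padding:   ", accuracy(PADDED))  # chance level for 3 types
    print("cost for one rendezvous trace:", pad(TRACES["rendezvous"][0], TEMPLATE)[1:])
```

The dummy and delayed counts returned by `pad` are the bandwidth and latency price of the defence, which is the trade-off any deployed padding scheme has to weigh.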

"For a while, we've been aware that circuit fingerprinting is a big issue for hidden services," said David Goulet, a developer with the Tor project. "This paper showed that it’s possible to do it passively – but it still requires an attacker to have a foot in the network and to gather data for a certain period of time."

"We are considering their countermeasures as a potential improvement to the hidden service," he added. "But I think we need more concrete proof that it definitely fixes the issue."

A spokesman for the Tor Project told The Register: "It is a known issue that hidden service circuits are noticeable in certain situations, but this attack is very difficult to execute. The countermeasures described in the paper are interesting since the authors claim that deploying some of them would neutralize their attack and better defend against hidden service circuit fingerprinting attacks in general."

"We need more concrete proof that these measures actually fix the issue," the spokesman continued, adding: "We encourage peer-reviewed research into both attacks against and defenses of the Tor network."

It is not the first time that traffic analysis and/or correlation attacks have been proven to be effective against Tor.

A paper by Steven J Murdoch and George Danezis explained the feasibility of the "Low-Cost Traffic Analysis of Tor" (PDF) back in 2005, and the project itself continues to acknowledge attackers spying "on multiple parts of the internet [using] sophisticated statistical techniques to track the communications patterns of many different organisations and individuals."

MIT's full press release about the MIT/QCRI study is available here. ®